Global Accelerator (GA) offers web service providers a cross-border acceleration solution. GA is integrated with Anti-DDoS Pro and Web Application Firewall (WAF) to mitigate DDoS attacks and web attacks based on high-bandwidth BGP lines and the global transmission network of Alibaba Cloud. Global Traffic Manager (GTM) can interact with GA to conduct fault isolation or traffic failovers.

Background information

A web service is deployed on Alibaba Cloud in US (Silicon Valley). The origin servers are four Elastic Compute Service (ECS) instances associated with Alibaba Cloud elastic IP addresses (EIPs). The web service is deployed on the ECS instances with the domain name www.example.us that is registered outside mainland China. The forwarding port is TCP port 9000. The web service may encounter the following issues:
  • The domain name of the web service is registered outside mainland China and cannot be hosted on servers in mainland China. However, the majority of users are located in mainland China.
  • The web service frequently suffers from web attacks and DDoS attacks, which severely degrades the security and availability of the web service.
  • The cross-border network is unstable. Network issues, such as network latency, network jitter, and packet loss, may frequently occur and degrade the performance of the web service.
  • The origin servers are unstable and services may be interrupted.
Figure: Cross-border acceleration
The preceding figure shows how to deploy a GA service to interact with Anti-DDoS Pro, WAF, and GTM. This solution allows you to resolve the preceding issues.
  • Anti-DDoS Pro can mitigate DDoS attacks.

    The Anti-DDoS Pro service is deployed in tap mode. Anti-DDoS Pro is triggered only in specific scenarios. This ensures service quality when no DDoS attack occurs and enhances protection when DDoS attacks are detected.

  • GA can accelerate content delivery between the origin servers and users in accelerated areas.

    Users in mainland China send requests to the Alibaba Cloud acceleration network from the access points in the China (Hong Kong) region. The system forwards the requests to the origin servers in the US (Silicon Valley) region by using intelligent routing and automatic network traffic distribution.

  • WAF can protect your website against a variety of web attacks.

    WAF can detect and block malicious Internet traffic. Non-malicious network traffic is forwarded to the IP addresses of the origin servers. WAF ensures security, stability, and availability of the origin servers.

  • GTM can be used to isolate malfunctioning servers or switch network traffic among multiple origin servers.
    • When the primary server group is working as expected, all user traffic is forwarded to the primary server group.
    • When the primary server group is unavailable, traffic is directed to the secondary server group. After the primary server recovers, traffic is switched back to the primary server group.

Procedure

Step 1: Create a GTM instance

GTM is a traffic management service that allows you to manage network traffic from clients in a fine-grained way.

To create a GTM instance, perform the following steps:

  1. Log on to the Alibaba Cloud DNS console.
  2. In the left-side navigation pane, click Global Traffic Manager.
  3. On the Global Traffic Manager page, click Create Instance.
  4. On the buy page, set the following parameters.
    1. Edition: You can select Standard Edition or Ultimate Edition. In this example, Standard Edition is selected.
    2. Quantity: The number of GTM instances that you want to purchase.
    3. Service Time: The service duration of the GTM instance.
  5. Click Buy Now and complete the payment.

Step 2: Configure an access policy

Access policies allow GA to forward requests from different access points to different origin servers. You can also specify secondary origin servers to meet your business demands.

To configure an access policy for GTM, perform the following steps:

  1. Log on to the Alibaba Cloud DNS console.
  2. In the left-side navigation pane, click Global Traffic Manager.
  3. On the Global Traffic Manager page, find the GTM instance that you want to manage, and click Configure in the Actions column.
  4. In the Select Configuration Method dialog box, select Quick Start.
  5. In the Access Policy Configurations wizard, set the following parameters:
    1. Policy Name: Enter a name for the access policy.
    2. DNS Request Sources: Select a request source.
      After you specify a region as the request source, when users in this region send requests to the service, GTM distributes the requests to the specified origin server address pool. Global is selected in this example.
    3. Primary Address Pool Set: Click the Primary Address Pool Set tab.
      Primary Address Pool Set specifies the address pool of backend servers to which GTM forwards user traffic.

      Click Create Address Pool and add the IP addresses of Origin Server 1 and Origin Server 2 in the US (Silicon Valley) region to the primary address pool. Then, configure health checks and select the primary address pool. For more information about how to configure health checks, see TCP health checks.

    4. Secondary Address Pool Set: Click Secondary Address Pool Set.
      Secondary Address Pool Set specifies the address pool that takes over when the primary address pool specified by Primary Address Pool Set is unavailable.

      Click Create Address Pool and add Origin Server 3 and Origin Server 4 in the US (Silicon Valley) region to the secondary address pool. Then, configure health checks and select the secondary address pool. For more information about how to configure health checks, see TCP health checks.

  6. Click Next.
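The primary/secondary address-pool behaviour configured in this step, as an added example that is not part of the original page or Alibaba Cloud's code: a Python model of a GTM-style access policy that marks an origin unavailable after consecutive failed TCP health checks on port 9000, hands out the primary pool while any of its origins is healthy, falls back to the secondary pool otherwise, and switches back as soon as a primary origin recovers. The origin IP addresses (documentation range), the failure threshold and the check sequence are constructed assumptions.

```python
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SERVICE_PORT = 9000  # forwarding port used throughout this topic


def tcp_health_check(address: str, port: int = SERVICE_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to address:port completes within timeout.

    A plain socket connect stands in for GTM's TCP health check so the model
    can also be exercised against real hosts.
    """
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class AddressPool:
    name: str
    addresses: List[str]


@dataclass
class AccessPolicy:
    """Primary/secondary pool selection driven by health-check results."""

    primary: AddressPool
    secondary: AddressPool
    failure_threshold: int = 3  # assumption: consecutive failures before an origin is down
    _failures: Dict[str, int] = field(default_factory=dict)

    def record(self, address: str, healthy: bool) -> None:
        """Feed one health-check result; a success resets the failure counter."""
        self._failures[address] = 0 if healthy else self._failures.get(address, 0) + 1

    def healthy_addresses(self, pool: AddressPool) -> List[str]:
        return [a for a in pool.addresses
                if self._failures.get(a, 0) < self.failure_threshold]

    def resolve(self) -> Tuple[str, List[str]]:
        """Return (pool name, addresses handed out right now).

        The primary pool is used while at least one of its origins is healthy;
        only when the whole primary pool is down does traffic move to the
        secondary pool, and it moves back as soon as a primary origin recovers.
        """
        up = self.healthy_addresses(self.primary)
        if up:
            return self.primary.name, up
        return self.secondary.name, self.healthy_addresses(self.secondary)


def failover_scenario() -> List[Tuple[str, List[str]]]:
    """Replay a constructed sequence of health-check rounds and return the
    pool decision after each round (documentation-range IPs, not real origins)."""
    policy = AccessPolicy(
        primary=AddressPool("primary", ["203.0.113.10", "203.0.113.11"]),      # Origin Server 1 and 2
        secondary=AddressPool("secondary", ["203.0.113.20", "203.0.113.21"]),  # Origin Server 3 and 4
    )
    all_origins = policy.primary.addresses + policy.secondary.addresses
    # Each round lists results for Origin Server 1, 2, 3 and 4 in order.
    rounds = [
        (True, True, True, True),    # all healthy
        (False, True, True, True),   # Origin Server 1 starts failing
        (False, False, True, True),  # Origin Server 2 joins; both below threshold
        (False, False, True, True),  # Origin Server 1 reaches 3 failures
        (False, False, True, True),  # Origin Server 2 reaches 3 failures: primary pool empty
        (True, False, True, True),   # Origin Server 1 recovers: traffic returns to primary
    ]
    decisions = []
    for results in rounds:
        for address, ok in zip(all_origins, results):
            policy.record(address, ok)
        decisions.append(policy.resolve())
    return decisions
```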

Step 3: Configure basic information

After you configure the access policy, you must specify the basic information about the GTM instance. The information includes the domain name, CNAME, global time-to-live (TTL) value, and alert group.

To configure the basic information about GTM, perform the following steps:

  1. In the Basic Configuration wizard, set the following parameters:
    1. Instance Name: Enter an instance name.
      An instance name is used to identify the service to which the instance applies.
    2. Domain Name (Public): Enter a domain name to be accessed by the client. www.example.us is used in this example.
    3. CNAME Access Domain Name: Specify the type of the CNAME for the domain name.
      • Assigned Access Domain Name: Select this option if the IP address pool contains only Alibaba Cloud IP addresses or IP addresses outside mainland China.
      • Custom Access Domain Name: Select this option if the IP address pool contains IP addresses of data centers.

      In this example, the address pool contains only EIPs. Therefore, Assigned Access Domain Name is selected.

    4. Global TTL: The validity period of the IP address to which the domain name is resolved. 1 minute(s) is selected in this example.
      You can use GTM to manage network traffic based on domain names. Global TTL specifies the TTL of the IP address that is cached in the DNS system of the Internet service provider (ISP). By default, the global TTL is set to 1 minute. If you use a custom domain name, the global TTL must be the same as the minimum TTL supported by the Cloud DNS plan of the custom domain name.
    5. Alert Group: the contact group to which a notification is sent when an exception is detected in your workloads.
      Note
      • If you have not configured an alert group, log on to the CloudMonitor console and add a contact group. For more information, see Create an alert contact or alert group.
      • If you have configured a contact group but want to configure the basic information as a Resource Access Management (RAM) user, you must first use your Alibaba Cloud account to authorize the RAM user. After the RAM user is authorized, you can log on as a RAM user to read messages sent to the alert group.
  2. Click Complete.

After you configure the basic information, the system automatically allocates a CNAME to the domain name. User requests destined for the CNAME are resolved to the IP address of the scheduled origin server.

Step 4: Activate WAF

WAF provides security protection based on big data technologies of Alibaba Cloud Security. It defends against common attacks defined by Open Web Application Security Project (OWASP), including SQL injections, Cross-Site Scripting (XSS) attacks, exploits of vulnerabilities in web server plug-ins, Trojan uploads, and unauthorized access to core resources. WAF blocks volumetric HTTP flood attacks to prevent the exposure of website assets and data, and to ensure website security and availability.

This step describes how to purchase a subscription WAF instance.

  1. Go to Alibaba Cloud International Site and log on to the WAF page with your Alibaba Cloud account.
  2. Click Buy Now.
  3. On the Web Application Firewall buy page, set the following parameters.
    1. Region: Select the region where the WAF instance is deployed.
      In this example, the WAF instance is located in the US (Silicon Valley) region. Therefore, International is selected.
    2. Deployment: Select a plan for WAF. On-cloud WAF is selected in this example.
    3. Plan: Select the edition of WAF that you want to activate.
      Different WAF editions are applicable to various business scales and provide different protection features. For more information, see WAF deployment plans and editions. Enterprise is selected in this example.
    4. Extra Domain: Specify the number of additional domain names.
      If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase additional domain names. For more information, see Additional domain names. Additional domain names are not purchased in this example.
    5. Exclusive IP: Specify the number of exclusive IP addresses.
      You can purchase an exclusive IP address when your domain name needs WAF protection through an exclusive IP address. For more information, see Exclusive IP addresses. Exclusive IP addresses are not purchased in this example.
    6. Extra Traffic: Specify the additional bandwidth value. Unit: Mbit/s.
      If you require additional bandwidth, you can purchase an additional bandwidth plan. For more information, see additional bandwidth plans. 100 Mbit/s is selected in this example.
    7. GSLB: Select whether to enable global load balancing.
      Global load balancing uses the multi-node resilience technology. It distributes network traffic based on multiple nodes or lines to implement disaster recovery and improve service reliability. No is selected in this example.
    8. Access Log Service: Select whether to activate Log Service.
      Log Service retrieves log data from WAF in real time and stores the data. You can query and analyze the log data, and generate analytics reports online. No is selected in this example.
    9. Bot Manager: Select whether to enable this feature.
      To mitigate security threats caused by bot traffic, you can enable this feature. For more information, see Set a bot threat intelligence rule and Configure the allowed crawlers function. No is selected in this example.
    10. Mobile App Protection: Select whether to enable this feature.
      You can enable this feature if your business supports native applications and you have security requirements for your business, such as trusted communication and prevention of bot scripts. For more information, see Configure application protection. No is selected in this example.
    11. Validity Period: Select the duration of the WAF service.
  4. Click Buy Now and pay for the order.

Step 5: Add website configurations

After WAF is activated, you must configure the forwarding rules for the website protected by WAF.

Perform the following steps to route user traffic to WAF before it reaches the domain name protected by WAF:

  1. Log on to the WAF console.
  2. In the top navigation bar, select the region of your WAF instance. International is selected in this example.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, click Website Access.
  5. Optional: On the Add Domain Name page, click Manually Add Other Websites.
    Note The Add Domain Name page appears only when a qualified domain name exists. If Add Domain Name does not appear, skip this step.
  6. Follow the Add Domain Name wizard to complete the configuration.
    1. Domain Name: Enter the domain name that needs WAF protection. www.example.us is used in this example.
      Note
      • You can enter a specific domain name, such as www.aliyun.com or a wildcard domain name, such as *.aliyun.com.
        • If you use a wildcard domain name, WAF automatically searches for domain names that match the specified wildcard domain name.
        • If you configure both a wildcard domain name and a specific domain name for a website, forwarding rules and protection policies of the specific domain name prevail over those of the wildcard domain.
      • Domain names suffixed with .edu are not supported. If you need to use a .edu domain name, submit a ticket to request technical support.
    2. Protocol Type: Select the protocol supported by the website. HTTP is selected in this example.
      Note
      • If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you set website parameters. For more information, see Upload HTTPS certificate files.
      • After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient access to your website. For more information, see Enable HTTPS advanced settings.
      • To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
        • Your WAF is upgraded to Business or Enterprise Edition.
        • HTTPS is selected.
    3. Destination Server (IP Address): Select a server address type and enter the address of the origin server.
      You can select IP or Domain Name (Such as CNAME). After your website is connected to WAF, WAF filters and redirects requests to this IP address. In this example, Domain Name (Such as CNAME) is selected, and the CNAME that is assigned to GTM after you configure the basic information in Step 3 is used. For more information, see Step 3: Configure basic information.
    4. Destination Server Port: Specify the service port of the website.
      WAF receives and forwards traffic for your website only through the specified ports. Traffic that arrives at WAF on unspecified ports is not forwarded to the origin servers. Therefore, traffic that passes through WAF poses no security threat to the origin servers on those ports, even if the ports are open or have vulnerabilities.
      Notice The protocol and port must be the same as those of the origin server IP address. You cannot change the port after it is specified.
      The custom port 9000 is specified in this topic.
      Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of Business and Enterprise Edition support more non-standard ports, and have corresponding limits on the total number of ports used by the protected domain name. For more information, see View the allowed port range.
    5. Load Balancing Algorithm: If multiple origin server IP addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm for load balancing.
    6. Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. Yes is selected in this example.
    7. Enable Traffic Mark: Specify whether to enable the traffic mark feature. If you want to mark requests that pass through WAF, you can enable this feature. After you enable this feature, requests that pass through WAF are marked and other requests are not marked. When you enable this feature, you must specify a custom HTTP header field. The header field consists of Header Field Name and Header Field Value. This feature is enabled in this example.
      Note Do not specify a standard HTTP header field, such as User-Agent. Otherwise, the value of the standard header field is overwritten by the custom field value.
  7. Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME of WAF.
  8. Click Next to view the WAF IP address, and then click Completed. Return to the website list.
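The traffic mark described in item 7 of this step, as an added example that is not part of the original page or the WAF product: an origin-side Python check that accepts only requests carrying the configured mark header (a request that reaches an origin EIP without it did not traverse WAF) and a configuration check that enforces the Note above by rejecting standard header names such as User-Agent. The header name, value and sample requests are constructed placeholders, not WAF defaults.

```python
import hmac
import re
from typing import Iterable, List, Mapping, Tuple

# Header field-name syntax: RFC 7230 token characters.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Standard request headers that must not be reused as the mark, because the custom
# value would overwrite them at the origin. Illustrative, not exhaustive.
STANDARD_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "authorization", "cookie", "content-type", "content-length", "referer",
    "origin", "x-forwarded-for", "x-forwarded-proto", "x-real-ip",
}


def validate_traffic_mark(name: str, value: str) -> None:
    """Reject a mark definition that collides with a standard header or is not a
    syntactically valid header field (CR/LF in the value would allow header injection)."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header field name: {name!r}")
    if name.lower() in STANDARD_REQUEST_HEADERS:
        raise ValueError(f"{name} is a standard header; use a custom name such as X-WAF-Mark")
    if not value or re.search(r"[\r\n]", value):
        raise ValueError("mark value must be non-empty and must not contain CR or LF")


def mark_config_ok(name: str, value: str) -> bool:
    """Boolean wrapper around validate_traffic_mark for callers that do not want exceptions."""
    try:
        validate_traffic_mark(name, value)
        return True
    except ValueError:
        return False


def passed_through_waf(headers: Mapping[str, str], mark_name: str, mark_value: str) -> bool:
    """Return True if the request carries the configured mark.

    Header names are compared case-insensitively (HTTP field names are
    case-insensitive); the value comparison is constant-time so the mark
    does not leak through response timing.
    """
    for field_name, field_value in headers.items():
        if field_name.lower() == mark_name.lower():
            return hmac.compare_digest(field_value.encode(), mark_value.encode())
    return False


def classify(requests: Iterable[Tuple[str, Mapping[str, str]]],
             mark_name: str, mark_value: str) -> List[Tuple[str, str]]:
    """Tag each (label, headers) request as 'via-waf' or 'bypass'.

    A request without the mark did not pass through WAF, for example one sent
    straight to an origin EIP; the origin should refuse it or raise an alert.
    The mark is a forwarding indicator, not a secret-proof gate: anyone who
    learns the value can set the header, so pair it with ingress rules that
    admit only WAF back-to-origin addresses.
    """
    return [(label, "via-waf" if passed_through_waf(h, mark_name, mark_value) else "bypass")
            for label, h in requests]


# Constructed sample configuration and requests (placeholders, not real WAF values).
MARK_NAME, MARK_VALUE = "X-WAF-Mark", "example-mark-value"
SAMPLE_REQUESTS = [
    ("forwarded by WAF", {"Host": "www.example.us", "x-waf-mark": "example-mark-value"}),
    ("direct to EIP", {"Host": "www.example.us", "User-Agent": "curl/8.0"}),
    ("wrong mark value", {"Host": "www.example.us", "X-WAF-Mark": "guess"}),
]


def sample_results() -> List[Tuple[str, str]]:
    """Validate the constructed mark and classify the constructed requests."""
    validate_traffic_mark(MARK_NAME, MARK_VALUE)
    return classify(SAMPLE_REQUESTS, MARK_NAME, MARK_VALUE)
```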

Step 6: Create a GA instance

  1. Log on to the Global Accelerator console.
  2. On the Instances page, click Create Instance.
  3. On the buy page, configure the parameters, click Buy Now, and then complete the payment.
    1. Select a specification for the GA instance. In this example, Medium I is selected.
      GA supports the following types of instance specifications: Small I, Small II, Small III, Medium I, Medium II, and Medium III. The acceleration performance can vary based on the instance specification.
      Instance specification | Number of acceleration regions | Peak bandwidth | Maximum number of concurrent connections
      Small I                | 1                              | 20 Mbit/s      | 5,000
      Small II               | 2                              | 40 Mbit/s      | 10,000
      Small III              | 3                              | 60 Mbit/s      | 15,000
      Medium I               | 5                              | 100 Mbit/s     | 25,000
      Medium II              | 8                              | 160 Mbit/s     | 40,000
      Medium III             | 10                             | 200 Mbit/s     | 50,000
    2. Select a subscription period for the GA instance.
After the instance is created, the system automatically assigns a CNAME to the instance. The CNAME is used to resolve the domain name of the origin servers.

Step 7: Purchase and associate with a basic bandwidth plan

A basic bandwidth plan provides bandwidth for data transmission over the Internet and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic bandwidth plan and bind the plan to the GA instance.

  1. On the Instances page, click Purchase Basic Bandwidth Plan.
  2. On the buy page, set the following parameters, click Buy Now, and then pay for the order.
    1. Bandwidth Type: Select the type of the basic bandwidth plan.

      In this example, the domain name of the origin server is registered outside China and cannot be hosted on servers in mainland China. Premium is selected to allow users in mainland China to access the web services deployed in the US (Silicon Valley) region through the premium Internet in Hong Kong.

      Basic bandwidth plans support the following types of bandwidth: basic, enhanced, and premium. The following table shows that the acceleration type, acceleration backend service, and acceleration scope of a basic bandwidth plan can vary based on the bandwidth type.
      Bandwidth type: Basic bandwidth
        Workload type: Applications that are deployed on Alibaba Cloud
        Accelerated object:
        • Elastic Compute Service (ECS)
        • Server Load Balancer (SLB)
        • Alibaba Cloud public IP address
          Note ECS instances and SLB instances that run in the classic network are not supported.
        Acceleration scope: By default, networking within mainland China is accelerated. You can also purchase a cross-border bandwidth plan to optimize the acceleration of networking between mainland China and other areas.
      Bandwidth type: Enhanced bandwidth
        Workload type:
        • Applications that are deployed on Alibaba Cloud
        • Applications that are not deployed on Alibaba Cloud
        Accelerated object:
        • ECS
        • SLB
        • Alibaba Cloud public IP address
        • Custom IP address
        • Custom domain name
        Acceleration scope: By default, networking within mainland China is accelerated. You can also purchase a cross-border bandwidth plan to optimize the acceleration of networking between mainland China and other areas.
      Bandwidth type: Premium bandwidth
        Workload type:
        • Applications that are deployed on Alibaba Cloud
        • Applications that are not deployed on Alibaba Cloud
        Accelerated object:
        • ECS
        • SLB
        • Alibaba Cloud public IP address
        • Custom IP address
        • Custom domain name
        Acceleration scope: By default, network connections are accelerated on a global scale. Network traffic transmitted from mainland China to areas outside China is accelerated in the China (Hong Kong) region. If you also purchase a cross-border bandwidth plan, the acceleration of network connections between mainland China and areas outside China is reinforced.
      Note
      • You can specify ECS or SLB as the backend service type only if your account is added to the whitelist of GA. To specify ECS or SLB as the backend service type, submit a ticket.
      • Only an ECS instance or SLB instance that resides in a virtual private cloud (VPC) can be specified as an endpoint.
      • The public IP address of an endpoint group is exclusive for your use.
    2. Peak Bandwidth: Specify the maximum bandwidth value of the basic bandwidth plan. 10 Mbit/s is selected in this example.
    3. Duration: Select the duration of the basic bandwidth plan.
  3. Return to the Instances page and click the ID of the GA instance that you created in Step 6.
  4. On the page that appears, click the Bandwidth Manage tab.
  5. In the Basic Bandwidth Package section, find the plan that you want to manage, and click Bind in the Actions column.
    The basic bandwidth plan is now in the Bound state.

Step 8: Add an area that you want to accelerate

After you purchase a basic bandwidth plan, you can add an acceleration area, specify the acceleration regions where end users are located, and allocate bandwidth to these regions.

  1. On the Instances page, click the ID of the GA instance that is created in Step 6.
  2. On the instance details page, click the Acceleration Regions tab and select the region where you want to accelerate access. In this example, Asia Pacific is selected.
  3. On the Acceleration Areas tab, click Add Acceleration Area.
  4. In the Add Acceleration Area dialog box, set the following parameters, and click OK:
    1. Regions: Select the region where users are located. China (Hong Kong) is selected in this example.
    2. Bandwidth: Select a bandwidth value for the acceleration service. 10 Mbit/s is selected in this topic.

After the area to be accelerated is added, GA assigns an accelerated IP address to each acceleration area to accelerate access to the domain name.

Step 9: Create a listener

A listener is used to check requests from clients. The system forwards requests based on the specified protocol and port.

  1. On the Instances page, click the ID of the GA instance that is created in Step 6.
  2. On the Listeners tab, click Add Listener.
  3. In the Configure Listener & Protocol step of the Add Listener wizard, configure the following parameters. Then, click Next.
    • Listener Name: Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
    • Protocol: Select a protocol for the listener. In this example, TCP is selected.
    • Port Number: Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.
    • Client Affinity: Specify whether to enable client affinity. If client affinity is enabled, requests from the same client can be directed to the same endpoint when the client accesses a stateful application. In this example, Source IP Address is selected.
  4. In the Configure Endpoint Group step, configure the following parameters and click Next.
    1. Enter a name for the endpoint group in the Endpoint Group Name field.
    2. Select the region to which the endpoint group and the backend server belong.
      In this example, US (Silicon Valley) is selected.
    3. Specify whether to deploy the backend service on Alibaba Cloud. In this example, Alibaba Cloud is selected.
    4. Specify whether to reserve client IP addresses. After the feature is enabled, backend servers can obtain source IP addresses of clients. In this example, this feature is disabled.
    5. Configure endpoints.
      • Backend Service Type: In this example, Alibaba Cloud Public IP Address is selected.
      • Backend Service: Enter the EIP of the backend server. The EIP is used to provide services.
      • Weight: Specify a weight for the endpoint. Valid values: 0 to 255. GA routes network traffic to each endpoint in proportion to the weight of each endpoint.
        Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the endpoint. Proceed with caution.
      • Add Endpoint: Click Add Endpoint to specify another server in the US (Silicon Valley) region as an endpoint, and specify a weight.

Step 10: Configure an endpoint group

  1. Enter a name for the endpoint group in the Endpoint Group Name field.
  2. Select the region to which the endpoint group and backend servers belong.
    In this example, network traffic is forwarded to WAF. Therefore, United States (Silicon Valley) is selected.
  3. Specify whether to deploy the backend service on Alibaba Cloud. Off Alibaba Cloud is selected in this example.
  4. Specify whether to reserve client IP addresses. After the feature is enabled, backend servers can obtain source IP addresses of clients. This feature is disabled in this example.
    Note This feature is available only to Alibaba Cloud accounts that are included in the whitelist. To use this feature, submit a ticket.
  5. Configure endpoints.
    1. Backend Service Type: Select Custom Domain Name from the drop-down list.
    2. Backend Service: Enter the CNAME that WAF assigned after you set the website parameters in Step 5. For more information, see Step 5: Add website configurations.
    3. Weight: Specify a weight for the endpoint. Valid values: 0 to 255. GA routes traffic to endpoints based on the specified weights.
      Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the endpoint. Proceed with caution.
  6. Click Next, confirm the configurations, and then click Next.

Step 11: Activate the Anti-DDoS Premium service

You can use Anti-DDoS Premium to mitigate DDoS attacks against servers deployed outside mainland China. The Anti-DDoS Premium service filters out attack traffic in scrubbing centers that are deployed closest to visitors and forwards only normal network traffic back to the origin server. This ensures the stability of your workloads.

To purchase an Anti-DDoS Premium instance, perform the following steps:

  1. Log on to the Anti-DDoS Pro console.
  2. On the Instances page, click Purchase Instances.
  3. On the buy page, set the following parameters.
    1. Product Type: Select Anti-DDoS Premium.
    2. Mitigation Plan: Select a mitigation plan for the Anti-DDoS Premium instance that you want to purchase.

      The Unlimited plan is selected in this example.

    3. Clean Bandwidth: Select the bandwidth value of the Anti-DDoS Premium instance.
      The value specifies the maximum traffic load of an Anti-DDoS instance when the instance is not under attack. 100 Mbit/s is selected in this example.
    4. Function Plan: Select a plan.
      You can select Standard Function or Enhanced Function. For more information about the differences between Standard Function and Enhanced Function, see Function plan. Enhanced Function is selected in this example.
    5. Domains: Select the number of HTTP/HTTPS domain names that can be protected by the instance.
      For more information about the number of protected domain names, see Domains. 10 is selected in this example.
    6. Clean QPS: Set the queries per second (QPS).
      This parameter specifies the maximum number of concurrent HTTP or HTTPS requests that the instance can process when no attack occurs. 3000 is selected in this example.
    7. Ports: Select the number of supported ports.
      The number of protected ports equals the maximum number of entries supported for TCP/UDP forwarding. 50 is selected in this example.
    8. Quantity: Select the number of instances that you want to purchase.
    9. Subscription: Select the subscription period of the Anti-DDoS Premium instance.
  4. Click Buy Now to complete the payment.

Step 12: Add a website

The configurations of a website specified in the Anti-DDoS Pro console define how network traffic is transmitted between a website and an Anti-DDoS Pro instance.

Follow these steps to add the website that needs protection to Anti-DDoS Pro:

  1. Log on to the Anti-DDoS Pro console.
  2. In the top status bar, select the region where the service is deployed. Outside Mainland China is selected in this example.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. On the Website Config page, click Add Domain.
  5. On the Add Domain page, enter the website information.
    1. Function Plan: Select a plan for the Anti-DDoS Premium instance that you want to associate with your website.
      Standard and Enhanced are available. For more information, see Function plan. Enhanced is selected in this example.
    2. Instance: Select the Anti-DDoS Pro instance to be associated. You can select up to eight instances for one domain. The instances associated with a domain must use the same function plan.
    3. Domain: Enter the website domain name that requires protection. www.example.us is used in this example.
    4. Protocol: Select the protocols supported by the website. By default, HTTP and HTTPS are selected. This topic uses the default setting.
    5. Server IP: Specify the address type and address of the origin server. In this example, Origin Server IP is selected, and the accelerated IP address is used. The accelerated IP address is the one that the GA instance assigns to the China (Hong Kong) region after you add the acceleration area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.
    6. Server Port: Specify a server port based on the protocol type. In this topic, 9000 is used.
  6. Click Add.

Step 13: Set parameters of Sec-Traffic Manager

Anti-DDoS Pro provides Sec-Traffic Manager to set the interaction rules between Anti-DDoS Pro and other cloud resources. You can set rules to trigger and enable Anti-DDoS Pro in specific scenarios. This helps you keep workloads running smoothly if no DDoS attacks occur, and provides more effective protection when DDoS attacks occur.

To configure Sec-Traffic Manager, follow these steps:

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of the service. Outside Mainland China is selected in this example.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. On the Cloud Service Interaction tab, click Create Rule.
  5. In the Create Rule dialog box, set the following parameters:
    1. Interaction Scenario: Select an interaction scenario for the rule. In this topic, select Cloud Service Interaction.
    2. Name: Enter the rule name.
      The name can be 1 to 128 characters in length and can contain letters, digits, and underscores (_).
    3. Anti-DDoS Instance IP: Select the Anti-DDoS instance with which you want to associate. In this topic, the Anti-DDoS Premium instance that you create in Step 11 is selected.
    4. Cloud Service: Select the region where the cloud resource is deployed, and then enter the IP address of the cloud resource.
      You can click Add Cloud Resource IP to add more cloud resources. You can add at most 20 IP addresses.

      cn-hongkong is selected and the accelerated IP address is used in this example. The accelerated IP address is the one that the GA instance assigns to the China (Hong Kong) region after you add the accelerated area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.

    5. The waiting time of switching back: The period that Sec-Traffic Manager waits, after traffic has been switched to Anti-DDoS Premium, before it switches traffic back to GA.
      Deactivating a black hole takes time, so frequent switchbacks are not recommended. Therefore, the minimum value of this parameter is 30 minutes. The waiting time is set to 60 minutes in this example.
  6. Click Next.
  7. Click Finished.
    After the rule is created, Sec-Traffic Manager assigns a CNAME to the rule. Record this CNAME; Step 14 points the domain name at it.

Step 14: Resolve the domain name to Sec-Traffic Manager

After you create a scheduling rule in Sec-Traffic Manager, you must update the CNAME record of the domain to redirect website traffic from mainland China to Sec-Traffic Manager. The rule takes effect only after you update the CNAME record. Make sure that no A record still maps the host directly to an origin EIP: such a record exposes the origin and lets attackers bypass Anti-DDoS Pro and GA.
Note If you use a third-party DNS service, log on to the system of the DNS service provider to modify the DNS record of your website.

To resolve the domain name to Sec-Traffic Manager, follow these steps:

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
  3. On the DNS Settings page, click Add Record.
  4. In the Add Record dialog box, configure the record, and click Confirm.
    1. Type: Select a record type.
      In this example, the website domain name is mapped to another domain name. Therefore, CNAME is selected.
    2. Host: Enter the prefix of the accelerated domain name.
      www is entered in this example.
    3. ISP Line: Select Default from the drop-down list.
    4. Value: Set this parameter to the CNAME assigned in Step 13. For more information, see Step 13: Set parameters of Sec-Traffic Manager.
    5. TTL: The period for which DNS resolvers cache the record before they query it again.
      10 minute(s) is selected in this example.
  5. Repeat the preceding steps to add CNAME records for ISP lines provided by China Unicom, China Telecom, China Mobile, and China Education Network.
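The following script is an added example and is not part of the Alibaba Cloud documentation. It audits a DNS record set against what Step 14 requires: a CNAME to the Sec-Traffic Manager address on the Default line and on each of the four ISP lines, no A record anywhere in the zone that still exposes an origin EIP (which would let traffic bypass Anti-DDoS Pro and GA), and a TTL that does not slow down later repointing. The record set, the field names (host, type, line, value, ttl), the Sec-Traffic Manager CNAME and the origin EIPs are constructed placeholders.

```python
"""Audit the DNS record set that Step 14 asks for.

Added example, not part of the Alibaba Cloud documentation. The record set
below is constructed to resemble an exported Alibaba Cloud DNS zone; the
field names (host, type, line, value, ttl), the Sec-Traffic Manager CNAME
and the origin EIPs are placeholders chosen for illustration.
"""
from typing import Dict, List, Set, Tuple

# Default plus the four ISP lines that Step 14 says must each carry the CNAME.
REQUIRED_LINES = ("Default", "China Unicom", "China Telecom",
                  "China Mobile", "China Education Network")

# Assumed placeholders: the CNAME Sec-Traffic Manager assigned in Step 13 and
# the EIPs of the four origin ECS instances (documentation address range).
EXPECTED_CNAME = "rule-placeholder.sec-traffic-manager.example."
ORIGIN_EIPS: Set[str] = {"203.0.113.11", "203.0.113.12",
                         "203.0.113.13", "203.0.113.14"}

Record = Dict[str, object]
Finding = Tuple[str, str]  # (severity, message)


def audit_records(records: List[Record], host: str = "www",
                  expected_cname: str = EXPECTED_CNAME,
                  origin_ips: Set[str] = ORIGIN_EIPS,
                  max_ttl: int = 600) -> List[Finding]:
    """Return findings for the zone, errors before warnings."""
    findings: List[Finding] = []
    cname_lines: Set[str] = set()
    want = expected_cname.rstrip(".").lower()

    for r in records:
        # Zone-wide check: any A record naming an origin EIP exposes the origin,
        # whatever hostname it sits on.
        if r["type"] == "A" and r["value"] in origin_ips:
            findings.append(("error",
                f"A record for host {r['host']!r} on line {r['line']} exposes origin "
                f"EIP {r['value']}: clients can bypass Anti-DDoS Pro and GA"))
            continue
        if r["host"] != host:
            continue
        if r["type"] == "A":
            findings.append(("error",
                f"A record on line {r['line']} ({r['value']}) conflicts with the CNAME"))
        elif r["type"] == "CNAME":
            cname_lines.add(str(r["line"]))
            if str(r["value"]).rstrip(".").lower() != want:
                findings.append(("error",
                    f"CNAME on line {r['line']} points to {r['value']}, "
                    f"expected {expected_cname}"))
            if int(r["ttl"]) > max_ttl:
                findings.append(("warning",
                    f"CNAME on line {r['line']} has TTL {r['ttl']}s; above {max_ttl}s "
                    "any later repointing of the domain propagates slowly"))

    for line in REQUIRED_LINES:
        if line not in cname_lines:
            findings.append(("warning",
                f"no CNAME record for ISP line {line!r}; Step 14 asks for one per line"))

    findings.sort(key=lambda f: 0 if f[0] == "error" else 1)
    return findings


# Constructed sample: four lines are present, China Education Network is
# missing, and stale A records still point www and api at origin EIPs.
SAMPLE_RECORDS: List[Record] = [
    {"host": "www", "type": "CNAME", "line": "Default",       "value": EXPECTED_CNAME, "ttl": 600},
    {"host": "www", "type": "CNAME", "line": "China Unicom",  "value": EXPECTED_CNAME, "ttl": 600},
    {"host": "www", "type": "CNAME", "line": "China Telecom", "value": EXPECTED_CNAME, "ttl": 600},
    {"host": "www", "type": "CNAME", "line": "China Mobile",  "value": EXPECTED_CNAME, "ttl": 600},
    {"host": "www", "type": "A",     "line": "Default",       "value": "203.0.113.11", "ttl": 600},
    {"host": "api", "type": "A",     "line": "Default",       "value": "203.0.113.12", "ttl": 600},
]

if __name__ == "__main__":
    for severity, message in audit_records(SAMPLE_RECORDS):
        print(f"[{severity}] {message}")
```

Run it against an export of your real zone after Step 14; the audit should come back empty. The origin-EIP check is deliberately zone-wide because a forgotten record on any hostname is enough to reveal the origin address.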

Step 15: Test the connectivity

In regions of mainland China, use a Windows operating system to test the protection and acceleration that GA provides after it is integrated with Anti-DDoS Pro, WAF, and GTM.

  1. The domain name www.example.us is hosted outside mainland China. Enter this domain in the address bar of the browser to access the application deployed in the US (Silicon Valley) region.
  2. Open the Command Prompt, and run the nslookup <web service domain name> command to check the DNS resolution result.
    • When the origin server is not attacked, the IP address of the GA instance is returned.
    • When the origin server is under attack, the IP address of the Anti-DDoS Premium instance is returned.
  3. Run the nslookup <CNAME access domain name in GTM> command to check the resolution result.
    • If the primary server group is available, the domain name is resolved to the IP address of Server 1 or Server 2. In this topic, the primary server group contains Server 1 and Server 2, which are deployed in the US (Silicon Valley) region.
    • If the primary server group is unavailable, the IP address of Server 3 or Server 4 is returned. GTM has failed over to the group that contains Server 3 and Server 4.
  4. Run the following command to query the network latency. On Windows, replace /dev/null with NUL, because Windows has no /dev/null:
    curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<Web service domain>[:<Port>]"
    where all values are in seconds and are measured from the start of the command, so each value includes the ones before it:
    • time_connect: the time until the TCP connection to the remote host was established.
    • time_starttransfer: the time until the first byte of the response was received, that is, time_connect plus the request round trip and the server processing time.
    • time_total: the time until the whole transfer completed.
    Run the command several times and compare the results: a large spread between runs indicates jitter on the path.
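The following script is an added example and is not part of the original documentation. It interprets the checks in this step: it maps the addresses that nslookup returns to the state the step describes (GA accelerated IP when there is no attack, Anti-DDoS Premium IP when traffic has been switched, and an origin EIP as the case you never want to see), builds the curl command for Windows or POSIX, parses the -w output of several runs and summarizes connect latency and spread. The IP addresses, the curl output samples and the connect-time budget are constructed placeholders.

```python
"""Interpret the Step 15 checks: classify what nslookup returned for
www.example.us and summarize several runs of the curl timing command.

Added example, not part of the original documentation. The addresses, the
curl output samples and the latency budget are constructed placeholders.
"""
import re
import statistics
from typing import Dict, Iterable, List

# Assumed placeholders (documentation address ranges) for addresses that the
# earlier steps assign: the GA accelerated IP for China (Hong Kong), the
# Anti-DDoS Premium instance IP, and the origin EIPs.
GA_ACCELERATED_IPS = {"198.51.100.10"}
ANTI_DDOS_IPS = {"198.51.100.20"}
ORIGIN_EIPS = {"203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14"}

# The -w format from the documentation; curl expands the \n sequences itself.
CURL_WRITE_OUT = ("time_connect: %{time_connect}\\n"
                  "time_starttransfer: %{time_starttransfer}\\n"
                  "time_total: %{time_total}\\n")


def curl_command(url: str, windows: bool = False) -> List[str]:
    """argv for the timing command; Windows has no /dev/null, so use NUL."""
    sink = "NUL" if windows else "/dev/null"
    return ["curl", "-o", sink, "-s", "-w", CURL_WRITE_OUT, url]


def classify_resolution(resolved_ips: Iterable[str]) -> str:
    """Map the addresses nslookup returned to the state the step describes."""
    ips = set(resolved_ips)
    if ips and ips <= GA_ACCELERATED_IPS:
        return "accelerated"     # no attack: traffic goes through GA
    if ips and ips <= ANTI_DDOS_IPS:
        return "scrubbing"       # Sec-Traffic Manager switched to Anti-DDoS Premium
    if ips & ORIGIN_EIPS:
        return "origin-exposed"  # a record still names the origin: protection bypassed
    return "unexpected"


def parse_curl_timings(output: str) -> Dict[str, float]:
    """Parse one run of the -w output. curl's time_* values are all measured
    from the start of the request, so time_starttransfer includes
    time_connect; the derived value isolates the request/response leg."""
    timings = {m.group(1): float(m.group(2))
               for m in re.finditer(r"^(time_\w+):\s*([0-9.]+)\s*$", output, re.M)}
    for key in ("time_connect", "time_starttransfer", "time_total"):
        if key not in timings:
            raise ValueError(f"missing {key} in curl output")
    timings["after_connect_to_first_byte"] = (timings["time_starttransfer"]
                                              - timings["time_connect"])
    return timings


def summarize(runs: List[Dict[str, float]],
              connect_budget: float = 0.2) -> Dict[str, float]:
    """Aggregate several runs: median connect time, spread between the best
    and worst connect (a jitter proxy), runs over budget, median total."""
    connects = [r["time_connect"] for r in runs]
    return {
        "median_connect": statistics.median(connects),
        "connect_spread": max(connects) - min(connects),
        "over_budget": sum(1 for c in connects if c > connect_budget),
        "median_total": statistics.median([r["time_total"] for r in runs]),
    }


# Constructed sample output of three runs of the curl command.
SAMPLE_RUNS = [
    "time_connect: 0.045\ntime_starttransfer: 0.210\ntime_total: 0.233\n",
    "time_connect: 0.051\ntime_starttransfer: 0.198\ntime_total: 0.221\n",
    "time_connect: 0.340\ntime_starttransfer: 0.612\ntime_total: 0.640\n",
]

if __name__ == "__main__":
    print(" ".join(curl_command("http://www.example.us:9000", windows=True)))
    print(classify_resolution(["198.51.100.10"]))
    print(summarize([parse_curl_timings(o) for o in SAMPLE_RUNS]))
```

Feed the output of your own nslookup and curl runs into these functions; "origin-exposed" or "unexpected" from classify_resolution means the CNAME chain from Step 14 is not what resolvers in mainland China are seeing, and a third run with a much larger connect time, as in the constructed sample, is the jitter the background section warns about.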